As of May 2018, businesses capturing data on EU residents will be required to abide by the General Data Protection Regulation (GDPR). The law was enacted to protect personal information and give users more control over their data. When GDPR was passed, much of the discussion focused on the consumer-level data held by large tech companies. While those implications are vast, far less attention has been given to the data protections of employees and independent contractors, who are also covered under the law.
Adequate record keeping of worker information is a big hurdle in complying with GDPR. While data gathering and storage practices are typically more mature for full-time employees, thanks to tested HR policies, the processes for a company’s external workforce are usually not as developed. Information may live in various locations, such as a static spreadsheet that becomes outdated when new versions are created, or an email inbox whose contents are lost when an employee exits the company. It is also rare that these candidates are made aware of a company’s data storage policies or offered the ability to have their data destroyed.
What You Need to Know
Data protection violations may include a fine of up to 4% of total turnover. It can also mean forced suspension of certain data collection activities. It’s important to understand the background so that you can remain compliant.
GDPR mandates that when you deal with data relating to people, you must take appropriate steps to protect it. Data can extend to anything collected about a person that references an identifiable person, directly or indirectly, through a name, identification number, location data or online identifier. Data subjects must be fully informed about, and must consent to, what data is being collected and how it is being used. They also need to be told how they can erase or protect that data, or stop its processing.
If you’re a part of the data collection ecosystem, you will be required to take certain steps depending on your role. To begin, review your collection and processing program. You’ll then use this information to determine whether you’re a controller or a processor. Each has its own responsibilities, and the two must work together to ensure data rights are protected. A controller determines the purposes and ways that personal data is processed, while a processor is a party that processes data on behalf of the controller. That means the controller could be a company or organization, whereas a processor could be a SaaS, IT or other company that is processing data systematically. The regulation’s own definitions are below.
(7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
(8) ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
Your best course of action is to make your collection methods transparent. Give your candidates and current freelance workforce the authority to retain, move, or destroy the data that your organization holds on them. A sign-up form with opt-in/opt-out boxes is an easy way to let your workers select their preference at the moment they submit their data.
We also recommend a central solution to help collect and organize your worker information. Keeping a system of record that is secure, easily maintained and up-to-date is essential. Platforms such as applicant tracking systems and freelancer management systems can help build a bridge to compliance by keeping a centralized database of worker data while also notifying those workers of activities involving their data.
At Shortlist, we worked with our engineering, security and legal teams to bring both our product and our legal terms in line with GDPR. As part of our GDPR Readiness Project we’ve improved our security infrastructure and practices, including strengthening data encryption at all parts of our tech stack. We’ve also self-certified under the EU/US Privacy Shield framework to comply with data protection requirements when transferring personal data to the US.
It’s likely that changing data protection laws will continue to challenge organizations both operationally and financially. Internally, we’ve found that being proactive with our data procedures and having a long-term roadmap for action has been necessary to ensure our compliance. We continually monitor the guidance around GDPR to make certain that our product and processes comply with new guidelines as they take effect.